5 matches found
CVE-2026-40353 wger: Stored XSS via Unescaped License Attribution Fields
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields such as license_author without escaping, and templates render the result using Django's...
CVE-2026-40353 wger: Stored XSS via Unescaped License Attribution Fields
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields such as license_author without escaping, and templates render the result using Django's...
CVE-2026-40353
CVE-2026-40353 affects wger (versions 2.5 and earlier) where AbstractLicenseModel.attribution_link builds HTML by directly interpolating user-controlled fields (e.g., license_author) without escaping, and templates render it with Django’s safe filter. This allows an authenticated user to store an...
GHSA-6F54-QJVM-WWQ3 wger has Stored XSS via Unescaped License Attribution Fields
Stored XSS via Unescaped License Attribution Fields. Summary: The AbstractLicenseModel.attribution_link property in wger/utils/models.py constructs HTML strings by directly interpolating user-controlled fields license_author, license_title, license_object_url, license_author_url, license_derivative_source_ur...
PT-2026-33300
Stored XSS via Unescaped License Attribution Fields. Summary: The AbstractLicenseModel.attribution_link property in wger/utils/models.py constructs HTML strings by directly interpolating user-controlled fields license_author, license_title, license_object_url, license_author_url, license_derivative...